Privacy works best when the right person is in the right place, at the right time, asking the right questions. That's according to Microsoft CPO Brendon Lynch, CIPP/US, who spoke in Brussels recently alongside IAPP Publications Director Sam Pfeifle and Accenture Senior Director of Data Privacy Florian Thoma, FIP, CIPM, CIPP/E, CIPP/US.
Lynch and Thoma were at the IAPP's Data Protection Congress to talk about the role of the mandatory data protection officer. Under Article 37 of the General Data Protection Regulation, public authorities, as well as entities whose core activities involve "regular and systematic monitoring of data subjects on a large scale," or that control or process special categories of personal data,
The DPO's role, in part, will be to communicate with and be a representative of a company's or public entity's data protection authority. Which raises the question: Can the DPO play a role arm-in-arm with the supervisory authority while still strategically advising the company? Or should the DPO be a truly independent role, almost outside of operations?
"I think it remains to be seen," Lynch said. "My hope is certainly that it's not this niche independent role, because that has all the potential to be less strategic if you're not involved in decision making and just adjudicating after the fact. I personally think it works best if the CPO/DPO role is strategic and involved in key decision making around business models that involve data, so they can be influential in that role, rather than it being this audit function on the side."
While independent audits are important, Lynch said they shouldn't exist within the DPO role.
At Accenture, Thoma said, there are people playing the DPO role, but nonetheless, the company plans to invest in headcount, "because we believe the GDPR is a kind of opportunity to revise what we have and make changes where needed. That's the way we took the GDPR, as an opportunity to look at, 'Do we have the right approach; do we want to make changes?'"
Accenture does see the DPO as an extended arm of the supervisory authority, Thoma said. He said he sees an inherent conflict of interest for a DPO to be seated within certain areas of the organization. Human resources, for example. How can a position that's expected to be the eyes and ears of the DPA within the company also be involved in collecting data as sensitive as that which an HR department collects and still be objective about what's happening there?
But Lynch feels differently. While he acknowledges that there are different cultures within different companies and in different countries and understands the DPO will likely often be an independent role, he doesn't think that's necessarily the right approach.
"In some ways I reject the notion in this context," he said. "What it implies is that the privacy goals and the business goals are in conflict." And that's not the goal.
But Thoma said sometimes it's just important to have someone who's positioned to maybe see things through another lens, while still working toward the same goal. However, he said, "fundamentally, you should not oversee what you're doing yourself."
Lynch countered, though, using the analogy of a restaurant, where food safety is important.
"You want all the chefs to have a certain level of proficiency, and they are in the kitchen all the time so in the best position to spot where issues are going wrong," he said. "That might work better than having an office manager who doesn't see the day to day. Is it better to be someone embedded within, who's more influential with changing practices than with being an outside auditor?"
As for whether the DPO function should be taken on by someone already performing similar duties at organizations, Thoma said DPOs should be called such and be recognized for the role they're performing at the company. But he said the DPO should be in charge of "just a couple of countries, a couple of entities as needed." It shouldn't be one-size-fits-all. Otherwise, the DPO, in certain cases hired at companies with 500 or 600 legal entities, would need to delegate much of his or her role to other people.
That being said, size matters. A company as small as his local bakery, which happens to be processing data like email addresses, for example, doesn't need a DPO. On the other hand, a processor like a notary public perhaps could benefit from some privacy advice from someone who understands the business.
"Probably not as part of their organization, but, you would outsource that job," Thoma said.